Re: activex questions
From: JoshB (metrix007@yahoo.com)
Date: 04/11/03
- Next message: Spehro Pefhany: "Re: Coping with predatory business and evil in life?"
- Previous message: Douglas A. Gwyn: "Re: Request feedback about security model"
- In reply to: sponge: "Re: activex questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: metrix007@yahoo.com (JoshB) Date: 11 Apr 2003 12:57:31 -0700
mtubi@python.net (sponge) wrote in message news:<3e963f9b.6519693@news.rcn.com>...
> On 10 Apr 2003 07:22:30 -0700, metrix007@yahoo.com (JoshB) wrote:
>
> >Hi,
> >
> >I have been researching this, and there are some things that are not
> >clear.
> >
> >By default, is it possible for hostile active code to execute without
> >user interaction, not including vulnerabilities?
>
> Yes, and it is an extremely common practice. Do a Yahoo on drive-by
> downloads or browser hijackings, or read more at cexx.org and
> www.spywareinfo.com.
>
> >What exactly is ActiveX scripting capable of? I notice it is suggested
> >to enable it, and it is enabled by default.
>
> Anything and everything any other application is capable of. There is
> no sandbox with ActiveX, so there are no security features.
>
> >ActiveX has complete control of target system?
>
> Yes.
>
> >Is it possible to "spoof" ActiveX controls, so if one purports to be
> >from a trusted corp, i.e. MS, it will automatically run without user
> >interaction?
>
> Again, happens all the time. Here's also a good site:
> www.doxdesk.com.parasite
>
> >Are there any examples of pages that can automatically run code, install
> >spyware etc. without user interaction, and without taking advantage of
> >vulnerabilities?
>
> The site just mentioned will be loaded with examples. Even Yahoo uses
> this installation method for their "browser toolbar", although at
> least they don't put it on their front page.
>
> >I had assumed the above was possible, and a *lot* of people do,
> >however I am unable to find evidence of this..
>
> Although I could provide the code itself, you can get it straight from
> the various links provided in each parasite review on the Doxdesk site.
> Most use signed certificates so there will be no prompting of the
> downloading and installation functions. Usually, these will be
> predicated on a call to Microsoft/Verisign or Thawte. If you have
> Microsoft or Thawte's IP range blocked, the download will not occur
> because it cannot authenticate.
>
> >Thanks for any explanations.
>
> Although it's a good idea to harden Internet Explorer against this
> (have an explanation on my site) the better solution is to simply not
> use IE. Then the problem of browser hijackings and various other
> exploits almost completely goes away.
> This is not to say that there are not exploits for other browsers --
> there are -- but since 90% of the world's computers are based on MS
> Windows, and 100% of Windows installations come with IE, then 90% of
> the world is potentially vulnerable.
> There is an ActiveX plugin for Mozilla. I have not evaluated it but it
> is probably as vulnerable as IE if installed.
>
>
> Sponge
> Sponge's Anti-Spyware Page
> www.geocities.com/yosponge
Just an update... I've visited more than half of the sites on the doxdesk
site, and have not had anything installed silently. Using WinXP with
default IE, security set to default.
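
Added example, not part of the original thread: whether a control installs with or without a prompt depends on the per-zone ActiveX URL actions that Internet Explorer stores in the registry, so those settings can be audited directly. The function name `Get-ZoneActiveXPolicy` and the two sample value sets are constructed for illustration; the URL action IDs and policy values are the ones Internet Explorer uses.

```powershell
# ActiveX-related URL actions stored per security zone (3 = Internet zone).
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$PolicyNames = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXPolicy {
    param(
        [int]$Zone = 3,
        [hashtable]$Values   # optional: constructed values instead of the live registry
    )
    if (-not $Values) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        $Values = @{}
        foreach ($id in $ActiveXActions.Keys) {
            if ($null -ne $props.$id) { $Values[$id] = [int]$props.$id }
        }
    }
    foreach ($id in $ActiveXActions.Keys) {
        $raw = $Values[$id]
        if ($null -eq $raw) { $setting = 'Not set' }
        elseif ($PolicyNames.ContainsKey([int]$raw)) { $setting = $PolicyNames[[int]$raw] }
        else { $setting = "Unknown value $raw" }
        [pscustomobject]@{
            Id      = $id
            Action  = $ActiveXActions[$id]
            Setting = $setting
            # A download action set to 0 installs a control with no dialog at all.
            SilentInstall = ($id -in '1001', '1004') -and ($raw -eq 0)
        }
    }
}

# Constructed sample 1: signed controls prompt, unsigned controls are refused.
$prompting = @{ '1001' = 1; '1004' = 3; '1200' = 0; '1201' = 3; '1405' = 0 }
# Constructed sample 2: a weakened zone where signed controls install silently.
$weakened  = @{ '1001' = 0; '1004' = 1; '1200' = 0; '1201' = 1; '1405' = 0 }

Get-ZoneActiveXPolicy -Values $prompting | Format-Table -AutoSize
Get-ZoneActiveXPolicy -Values $weakened  | Where-Object SilentInstall | Format-Table -AutoSize
```

Calling `Get-ZoneActiveXPolicy` with no `-Values` argument reads the current user's Internet zone; settings enforced through the `Policies` registry branch are not covered by this sketch.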